SubdoMailing Manipulates Subdomains To Send Spam

An operation that manipulated more than 8,000 subdomains belonging to or affiliated with major brands was found to dispatch vast quantities of spam and malicious emails that were able to slip past most common security controls.

A blog post Feb. 26 on Medium by Guardio Labs reported that the malicious activity — dubbed “SubdoMailing” — leverages the trust associated with well-known brands such as MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel and eBay. 

In one example, the researchers showed a malicious email crafted entirely as an image to dodge text-based spam filters. Clicking it triggers a chain of redirects through different domains that check the device type and geographic location, leading to content tailored to maximize profit: anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling the victim out of money more directly.

“We’re clearly facing a formidable operation characterized by significant expenditure and substantial revenue,” said Nati Tal, head of Guardio Labs.

Hijacking subdomains to enhance the sending domain’s reputation serves as just one angle for criminals to get email delivered reliably to their victims’ inboxes, said Robert Duncan, vice president, product strategy at Netcraft.

Duncan said his team has also seen the use of QR codes to bypass URL-based security controls and the use of legitimate email delivery services like SendGrid, which was used in a recent campaign by criminals targeting SendGrid’s own customers.

“Along with the use of URL shorteners, redirectors which route requests differently for different visitors, and other cloaking techniques, these tricks are all part and parcel of the battle for criminals to reach inboxes,” said Duncan. “Equally, SPF, DKIM, and DMARC remain an effective weapon in the defender’s arsenal with the ability to significantly improve an organization’s email sending posture and protect their own brand.”

Duncan explained that email was designed in an era where security wasn’t a top consideration. SPF, DKIM, and DMARC have been layered on after the fact — and it shows, said Duncan. They are tricky to deploy robustly and, as shown in this research, need to be maintained with great care to avoid being exploited by criminals.

“With increasing tightening of email sender requirements from Gmail and Yahoo, we’re likely to see increasing ingenuity from criminals seeking to exploit weak DMARC, SPF, and DKIM setups to continue sending malicious email at scale,” said Duncan.
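Duncan's point that SPF, DKIM and DMARC are tricky to deploy and must be maintained with care can be made concrete with a hygiene check a domain owner can run against their own records. The Python script below is an added example, not code from the article, Guardio Labs or Netcraft. It audits a domain's SPF and DMARC records against a constructed, in-memory DNS snapshot so it runs offline; the domain names, IP ranges, and the `lookup_txt`, `audit_spf`, `audit_dmarc` and `audit_domain` functions are all assumptions made for illustration. It flags the weak settings a defender would want to catch: a permissive `+all` or `?all`, an `include:` that points at a domain publishing no SPF record, more than 10 DNS-querying terms (which makes SPF fail with a permerror under RFC 7208), and a DMARC policy of `p=none` or `sp=none`, the latter leaving subdomains unprotected.

```python
"""Audit SPF and DMARC records for settings that let third parties send as a domain.

Added example, not from the article or the research it reports. It uses a
constructed in-memory DNS snapshot so it runs offline; replace `lookup_txt`
with a real resolver (e.g. dnspython) to audit live domains.
"""
import re

# Constructed DNS snapshot: name -> list of TXT records. All names use reserved
# .test/.example labels and documentation IP ranges; none of this is real data.
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.mailer.test include:old-vendor.test ~all"],
    "_spf.mailer.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # "old-vendor.test" is deliberately absent: a dangling include
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 +all"],  # and no _dmarc.weak.example record at all
    "good.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@good.example"],
}

# SPF terms that cost a DNS query; RFC 7208 caps these at 10 per evaluation.
DNS_QUERY_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism/modifier name, optional ":"/"=" argument, optional CIDR suffix
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.+?))?(?:/[\d/]+)?")


def lookup_txt(name, txt=DNS_TXT):
    """Return TXT records for a name from the snapshot (swap in a real resolver here)."""
    return txt.get(name, [])


def get_spf(domain, txt=DNS_TXT):
    """Return the domain's SPF record, or None unless exactly one is published."""
    recs = [r for r in lookup_txt(domain, txt) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # zero or multiple records both fail


def audit_spf(domain, txt=DNS_TXT, _counter=None, _depth=0):
    """Walk the SPF record and its includes; return a list of weakness strings."""
    counter = _counter if _counter is not None else [0]  # shared across the include tree
    spf = get_spf(domain, txt)
    if spf is None:
        return [f"{domain}: no single valid SPF record"]
    findings = []
    for term in spf.split()[1:]:  # skip the "v=spf1" version tag
        m = TERM_RE.fullmatch(term)
        if not m:
            findings.append(f"{domain}: unparseable SPF term {term!r}")
            continue
        qual, mech, arg = m.group(1), m.group(2).lower(), m.group(3)
        if mech == "all" and qual in ("", "+", "?"):
            findings.append(f"{domain}: '{term}' allows any host to send as this domain")
        if mech in DNS_QUERY_TERMS:
            counter[0] += 1
            if counter[0] == 11:
                findings.append(f"{domain}: more than 10 DNS-querying terms; SPF permerror")
        if mech in ("include", "redirect") and arg:
            if get_spf(arg, txt) is None:
                findings.append(f"{domain}: '{term}' points at {arg}, which publishes no SPF record")
            elif _depth < 10:  # bound recursion on pathological include loops
                findings.extend(audit_spf(arg, txt, counter, _depth + 1))
    return findings


def audit_dmarc(domain, txt=DNS_TXT):
    """Check the _dmarc record; return a list of weakness strings."""
    recs = [r for r in lookup_txt("_dmarc." + domain, txt) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [f"{domain}: no DMARC record; receivers cannot enforce SPF/DKIM alignment"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    if tags.get("p", "none") == "none":  # "p" is mandatory; a missing one is treated as none
        findings.append(f"{domain}: DMARC p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp") == "none":
        findings.append(f"{domain}: DMARC sp=none leaves subdomains unprotected")
    return findings


def audit_domain(domain, txt=DNS_TXT):
    """Combined SPF and DMARC findings for one domain."""
    return audit_spf(domain, txt) + audit_dmarc(domain, txt)


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "good.example"):
        print(name, "->", audit_domain(name) or ["no findings"])
```

Against the constructed snapshot, `example.com` yields two findings (the include pointing at the absent `old-vendor.test`, and `p=none`), `weak.example` yields two (`+all` and no DMARC record), and `good.example` yields none. The dangling-include check is the one worth scheduling: an include target that stops publishing SPF is a record the domain owner no longer controls, which is exactly the kind of neglected setup the quotes above warn about.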

Patrick Harr, chief executive officer at SlashNext, added that the industry has had a false sense of security around trusted domains, as they have never been fully safe. Harr said his team has seen tens of thousands of malicious subdomains hiding in trusted domains, and that there are currently 149,345 live phishing threat URLs in SlashNext’s threat feed that are on legitimate, trusted domains.

“While it’s important to have DMARC, DKIM and SPF, it’s not going to detect these threats,” said Harr. “It’s critical to have AI technology like computer vision in your security stack that can look past the domain reputation to detect these threats which are hiding on legitimate sites.”
